Do We Need Information Security Outlaws?

I have to admit that I am an addict. I’m addicted to the FX program, Sons of Anarchy. The SOA is a motorcycle gang club operating outside the law in a small California town called Charming. The local police chief is in the club’s pocket, as is a particular county sheriff’s deputy. The citizens of Charming revere the club, however, because of the protection it provides from all that is “wrong” with the world – unbridled commercialism, drugs, violence, and so on. In effect, the club is viewed as the hero by most Charming residents, but not everyone shares this point of view, which sets us up for today’s post.

In SOA you have groups of individuals: The gang club, local police, county police, Federal agencies (ATF in particular), pro-SOA citizens, anti-SOA citizens, rival gangs clubs, and (in season 2) white supremacists. Each group has a general disposition regarding the world around them, but the specific perspective of individuals comprising the group will vary to the point of extremes, including defection. Each group operates within a boundary of rules and goals, and sometimes those rules and goals overlap, but mostly they diverge, primarily because those rules and goals are specific to a particular group.

Here’s an example. In episode three of season two, the Aryan leader (an untouchable, to be sure) has identified a potential defector in the local police department and is convincing him to join efforts. He states: “…we both know your methods [operating within the boundary of the law] for extracting the Sons of Anarchy have failed, because they operate outside the law. If you’re going to damage them you have to dip into their cesspool. It’s ugly. It’ll feel bad. But the result will be the salvation of Charming.”

The suggestion is, essentially, that if your adversary (SOA) is operating outside your constraints (the law), then you (law enforcement) need to operate outside those constraints to combat them effectively. In the information security world, we don’t (can’t?) think this way. Perhaps this is why we’re seeking broad, overreaching laws to give law enforcement what they need (see CISPA) – we feel that we need to operate inside the boundary of the law, so we create overbroad laws at the expense of our civil liberties. What might really be needed is an operation outside the law – black ops, if you will. I’m not necessarily an advocate of this perspective, but am exploring the idea (I’m sure our legal department will be happy now).

What is better: Broaden our legal boundaries at the expense of civil liberties, or be willing to accept operating outside our existing legal boundaries?

At some level, each of us would sympathize with the vigilante justice delivered by SOA, even when we may personally disagree with their gun running operations. Moreover, I believe we all operate outside the law from time to time. When was the last time you drove the speed limit and used your turn signal properly? When was the last time you filed your taxes without bending a single rule? This is probably why groups like Anonymous and the Occupy movement are, from what I see, generally well-received. We can empathize with their perspective and motivation.

Our own government has established an offensive capability in a similar spirit, and there are lengthy, ongoing discussions in the global community about how to handle offensive cyber attacks against our common adversaries – essentially putting in new boundaries for the international community that wishes to play by the rules.

This post has only touched on what is a much more complicated subject than can be treated in just a few hundred words. There are many questions to be asked before we can draw any reasonable conclusions, but the subject matter – to me – is very interesting. Here are some questions for further discussion:

At what point would you consider it acceptable to operate outside the law in the context of information security?

When would you be willing to accept an SOA of information security (Anonymous?)? At what point do you believe “civil disobedience” extends to information security?

Do you believe there is a difference between protecting “critical infrastructure” and intellectual property (by extension, our economy)?